Security in accessing and transmitting information is as crucial as security to protect physical possessions. Conventional security devices, such as combination locks, may include devices that control access based on possession of a virtual “key,” such as in the form of private information (e.g., a passcode). A passcode is a combination of a sequence of characters, such as letters, numbers, special characters, or any combination thereof. In the digital realm, passcode-based locks are emulated by digital passcode-based security devices, such as a key pad on an automatic teller machine (ATM) or a card reader for a debit card personal identification number (PIN) key pad. These digital passcode-based security devices are generally special-purpose hardware devices (i.e., lacking a general purpose operating system/kernel to run different functional components) that control access to a system based on a user's knowledge of a passcode. Conventional digital passcode-based security devices are implemented on special-purpose devices because of the ability to build concealment structures, such as a shield wall around the PIN key pad, around the special-purpose devices. Further, conventional digital passcode-based security devices are implemented on special-purpose devices because, among other reasons, any general-purpose device may be more vulnerable to installation of malware (i.e., software designed to overcome security without authorization).
For example, in a conventional transaction where payment is made by using a point-of-sale electronic payment card (e.g., a debit card or smart card such as a Europay, MasterCard, and Visa (EMV) card), a cardholder's identity and/or authenticity is confirmed by requiring the cardholder (“user”) to enter a PIN rather than or in addition to signing a paper receipt. A user may enter a PIN entry on a PIN pad on a special-purpose card reader, on which a protective shield may partially surround the PIN pad. The card reader then retrieves an authentic PIN from the smart card. The user-entered PIN is compared against the authentic PIN from the smart card. Authorization of the use of the card is then granted when the user PIN entry matches the authentic PIN.
The example above involves using a special-purpose device to authorize a user, instead of using a general-purpose device, i.e., a device that has an operating system enabling any third party software application to run on it. A general-purpose device enables ease of implementation of security sensitive applications. For example, general-purpose devices may include personal computers, smart phones (e.g., Android phone or iPhone), or tablet computers (e.g., iPad, Kindle, Galaxy Tab, etc.). The ability to use general-purpose devices to implement a passcode-based authentication system enables merchants and consumers who wish to use or implement a secured authentication system to use devices they already own for that purpose. General-purpose devices also enable a wider selection of presentation capabilities, and thus enabling integration of a storefront with a payment authentication system.
The figures depict various embodiments of the present invention for purposes of illustration only. One skilled in the art will readily recognize from the following discussion that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles of the invention described herein.